---
title: "AWS Inspector"
type: concept
tags: ["AWS", "Security", "Vulnerability-Scanning", "Compliance"]
sources: ["learning-sessions-standard-amis-updates-20231205-160324-meeting-recording-2", "ctp-topic-58-aws-ec2-image-builder"]
last_updated: 2026-05-08
---

## Definition

AWS Inspector is AWS's native security vulnerability-scanning service. Integrated into the AMI build-and-release pipeline, it automates security compliance checks, identifying known vulnerabilities (CVEs) and network-exposure issues.

## Key Capabilities

- **CVE detection**: identifies known security vulnerabilities
- **Network reachability analysis**: detects unintentionally open security-group rules
- **Automated scanning**: integrates into CI/CD pipelines
- **Compliance reporting**: generates security scan reports

## Integration in AMI Pipeline

1. Trigger an Inspector scan as soon as the AMI build completes
2. Compare the scan results against the security baseline
3. If high-severity vulnerabilities are found, block the release
4. If no issues are found, proceed with cross-region copy and sharing

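A minimal release gate implementing the four steps above, added here as an example (it is not code from the original note, from the Jenkins pipeline it describes, or from AWS): it evaluates Inspector v2 findings for an AMI against a severity baseline and returns whether the release may proceed. The `fetch_findings` wrapper around boto3's `inspector2` client and its `ec2InstanceImageId` filter key are assumptions about how findings would be retrieved; the sample findings are constructed.

```python
"""Release gate: block an AMI release when active Inspector findings exceed the baseline."""
from dataclasses import dataclass, field

# Inspector v2 severity labels, most severe first; unknown labels rank after all of them.
SEVERITY_ORDER = ["CRITICAL", "HIGH", "MEDIUM", "LOW", "INFORMATIONAL", "UNTRIAGED"]

@dataclass
class GateResult:
    allowed: bool
    blocking: list = field(default_factory=list)  # findings that fail the gate
    ignored: list = field(default_factory=list)   # non-active or below the baseline

def severity_rank(sev):
    return SEVERITY_ORDER.index(sev) if sev in SEVERITY_ORDER else len(SEVERITY_ORDER)

def evaluate_gate(findings, block_at="HIGH", allow_network=False):
    """Steps 2 and 3: compare ACTIVE findings against the baseline and decide.

    A finding blocks the release when its severity is at or above `block_at`
    (CRITICAL and HIGH by default). NETWORK_REACHABILITY findings block regardless
    of severity unless `allow_network` is set: an exposed port baked into a shared
    AMI is a misconfiguration in its own right.
    """
    result = GateResult(allowed=True)
    for f in findings:
        if f.get("status") != "ACTIVE":  # SUPPRESSED / CLOSED findings never block
            result.ignored.append(f)
            continue
        too_severe = severity_rank(f.get("severity", "UNTRIAGED")) <= severity_rank(block_at)
        exposed = f.get("type") == "NETWORK_REACHABILITY" and not allow_network
        (result.blocking if too_severe or exposed else result.ignored).append(f)
    result.allowed = not result.blocking
    return result

def fetch_findings(ami_id, region="us-east-1"):
    """Step 1: findings for instances launched from `ami_id` (the filter key is an assumption)."""
    import boto3  # imported lazily so the gate logic itself runs without AWS access
    paginator = boto3.client("inspector2", region_name=region).get_paginator("list_findings")
    criteria = {"ec2InstanceImageId": [{"comparison": "EQUALS", "value": ami_id}]}
    return [f for page in paginator.paginate(filterCriteria=criteria) for f in page["findings"]]

# Constructed sample findings in the shape of Inspector v2 `list_findings` records.
SAMPLE_FINDINGS = [
    {"status": "ACTIVE", "severity": "HIGH", "type": "PACKAGE_VULNERABILITY",
     "title": "CVE-XXXX-XXXXX in openssl (placeholder id)"},
    {"status": "ACTIVE", "severity": "LOW", "type": "PACKAGE_VULNERABILITY", "title": "low-risk package"},
    {"status": "SUPPRESSED", "severity": "CRITICAL", "type": "PACKAGE_VULNERABILITY", "title": "accepted risk"},
    {"status": "ACTIVE", "severity": "MEDIUM", "type": "NETWORK_REACHABILITY", "title": "tcp/22 reachable from internet"},
]
```

In the Jenkins stage, `evaluate_gate(fetch_findings(ami_id)).allowed` is the condition that decides whether step 4 (cross-region copy and sharing) runs.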
## Connections

- [[Amazon-Machine-Image]] — the object Inspector scans
- [[Jenkins-Multi-Branch-Pipeline]] — Inspector is integrated into the Jenkins pipeline
- [[AWS-Landing-Zone]] — Inspector is part of the Landing Zone (LZ) security infrastructure